Information Disclosure from Cluster-wide Secret Read by ServiceAccounts or Nodes in Kubernetes

High Risk | Infrastructure Security

Tags: kubernetes, rbac, secrets, information-disclosure, cluster-wide

What it is

Information disclosure: a ServiceAccount or node identity is granted read access to Secrets across the whole cluster. An attacker who obtains that identity (a compromised pod, a leaked token, a stolen kubelet credential) can exfiltrate every Secret, pivot across namespaces, and compromise the services that depend on those credentials.

Why it happens

A ClusterRole (or a ClusterRoleBinding to an existing role) grants the get, list or watch verbs on secrets, which applies to every namespace rather than the one the workload actually needs.

Root causes

Cluster-Wide Secret Access

Granting ClusterRole with get/list/watch verbs on secrets across all namespaces.

Service Account Over-Provisioning

Giving service accounts broad secret access rather than limiting to specific namespaces or secret names.

Default Role Expansion

Extending default roles like view or edit with secret read permissions without namespace scoping.

Fixes

1. Namespace-Scope Secret Access

Use Roles instead of ClusterRoles for secret access, limiting permissions to specific namespaces.

2. Named Secret Restrictions

Restrict secret access to specific secret names using the resourceNames field in RBAC rules.

3. Implement Secret Management Tools

Use external secret management solutions (Vault, External Secrets Operator) to avoid storing secrets in Kubernetes.
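The three root causes and the first two fixes come down to what a Role or ClusterRole's rules say about the secrets resource. The following added example (not code from this page or from Sourcery) encodes that as a small audit: it embeds constructed manifests for the weak ClusterRole described above, a wildcard ClusterRole, a namespaced Role without resourceNames, and the hardened namespaced, name-restricted Role the fixes call for, and then reports which of them grant cluster-wide or namespace-wide secret reads. The role names, namespace and secret name are hypothetical; the manifest structure is the real rbac.authorization.k8s.io/v1 shape.

```python
"""Audit Kubernetes Role/ClusterRole rules for broad Secret read access."""
import json

READ_VERBS = {"get", "list", "watch"}

# Constructed sample: the pattern the page warns about. A ClusterRole that
# reads secrets applies to every namespace once it is bound to an identity.
WEAK_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-secret-reader"},  # hypothetical name
    "rules": [
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list", "watch"]},
    ],
}

# Constructed sample: wildcards grant the same access without naming secrets.
WILDCARD_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "example-admin-like"},  # hypothetical name
    "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}

# Constructed sample: namespaced, but still able to read every Secret in it.
NAMESPACE_WIDE_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "example-ns-secret-reader", "namespace": "payments"},
    "rules": [{"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]}],
}

# Constructed sample: what fixes 1 and 2 recommend. A Role (namespace scoped)
# restricted with resourceNames to the single Secret the workload needs.
HARDENED_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "Role",
    "metadata": {"name": "example-app-secret-reader", "namespace": "payments"},
    "rules": [
        {
            "apiGroups": [""],
            "resources": ["secrets"],
            "resourceNames": ["example-app-db-creds"],  # hypothetical secret name
            "verbs": ["get"],
        }
    ],
}


def rule_reads_secrets(rule):
    """True if one RBAC rule allows get/list/watch on core-group secrets."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    core_group = "" in groups or "*" in groups      # secrets live in the core group
    secret_resource = "secrets" in resources or "*" in resources
    read_verb = bool(verbs & READ_VERBS) or "*" in verbs
    return core_group and secret_resource and read_verb


def audit_role(obj):
    """Return findings for one Role or ClusterRole manifest (dict form)."""
    findings = []
    kind, name = obj["kind"], obj["metadata"]["name"]
    for index, rule in enumerate(obj.get("rules", [])):
        if not rule_reads_secrets(rule):
            continue
        if kind == "ClusterRole":
            severity, reason = "high", "cluster-wide secret read (ClusterRole, no namespace scope)"
        elif not rule.get("resourceNames"):
            severity, reason = "medium", "namespace-wide secret read without resourceNames"
        else:
            continue  # namespaced and name-restricted: the recommended shape
        findings.append({"kind": kind, "name": name, "rule": index,
                         "severity": severity, "reason": reason})
    return findings


def audit_items(items):
    """Audit a list of manifests, e.g. the 'items' of kubectl's JSON output."""
    findings = []
    for obj in items:
        findings.extend(audit_role(obj))
    return findings


def audit_kubectl_json(text):
    """Parse `kubectl get clusterroles,roles -A -o json` output and audit it."""
    return audit_items(json.loads(text)["items"])


if __name__ == "__main__":
    samples = [WEAK_CLUSTERROLE, WILDCARD_CLUSTERROLE, NAMESPACE_WIDE_ROLE, HARDENED_ROLE]
    print(json.dumps(audit_items(samples), indent=2))
```

To run it against a real cluster, pipe `kubectl get clusterroles,roles -A -o json` into audit_kubectl_json; the sample manifests only exist so the script runs offline. Bindings are the other half of the picture: a finding on a ClusterRole matters once a ClusterRoleBinding (or a RoleBinding in some namespace) attaches it to a ServiceAccount, a node, or a group such as system:authenticated, so the next step is to list those bindings for each flagged role. Keep the verb list of a name-restricted rule to get; list and watch are meant to return many objects and do not pair naturally with resourceNames.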

Detect This Vulnerability in Your Code

Sourcery automatically identifies information disclosure from cluster-wide Secret reads by ServiceAccounts or nodes in Kubernetes, and many other security issues in your codebase.